Lightweight Sponge Stream F-FCSR f -function Analysis
The GLUON family: a lightweight hash function family based on FCSRs
T. P. Berger1, J. D’Hayer2, K. Marquet2, M. Minier2, G. Thomas1
1 XLIM (UMR CNRS 7252), Limoges; 2 CITI INRIA, INSA-Lyon
Africacrypt 2012, Ifrane, 10-12 July 2012
This work was partially supported by the French National Agency of Research: ANR-11-INS-011.
T. P. Berger, J. D’Hayer, K. Marquet, M. Minier, G. Thomas GLUON: lightweight hash functions based on FCSRs 1 / 20
Lightweight cryptography
Rules of lightweight cryptography
Hardware implementation (or limited software, e.g. 8-bit processors)
Limited resources. Upper bound: 10 000 GE (gate equivalents); objective: around 3 000 GE
Tradeoff between security / area / power consumption / throughput
→ No use of lookup tables. No AES-like processes. Replaced by iterative computations
→ Variable security levels: 64 bits, 80 bits, 112 bits...
The sponge model for hash functions
Introduced in 2008 by G. Bertoni, J. Daemen, M. Peeters, and G. Van Assche.
Generic proven criteria for the design of hash functions under the assumption that the internal function is random.
1 Initialization: the message is padded by appending a '1' bit and some '0' bits.
2 Absorbing phase: XOR of the r-bit message blocks into the state, interleaved with applications of the f function.
3 Squeezing phase: output of r bits of the state, interleaved with applications of the f function.
Sponge security
n: size of the output
r: size of the input/output part of the automaton (the rate)
c: size of the internal part of the automaton (the capacity)
Under the assumptions that f is a random function and 2n ≤ c, the resistance of the sponge construction is:
Collision: 2^{n/2}
Preimage: 2^n
Second preimage: 2^n
f: function or permutation?
No matter!
The challenge: how to construct an efficient f function which looks random?
More generally, for lightweight cryptography: how to construct large S-boxes (more than 64 bits of input/output) that are computed iteratively?
From stream ciphers to functions
A generic construction:
If one has an “ideal pseudo-random generator” with a secret key of size k:
Input: a message m of k bits
Initialize the pseudo-random generator with m
Output: the first k bits of the pseudo-random sequence
⇒ f is not necessarily a permutation, but a random function.
In real life there are no “ideal pseudo-random generators”, only hardware- or software-dedicated stream ciphers. For example, the lightweight hash function Quark is essentially based on the design of the hardware stream cipher GRAIN.
FCSR automata
FCSR: Feedback with Carry Shift Register, close to an LFSR
[Figure: Galois FCSR with main register cells m7 ... m0 and carry cells c5, c3, c2, c1]
But with carry propagation ⇒ 2-adic theory
F-FCSR stream cipher family
F-FCSR stream ciphers are filtered FCSR automata with a linear filter.
[Figure: FCSR main register m7 ... m0, with selected cells combined by XOR (the linear filter) to produce the output S(t)]
Design of FCSRs for cryptographic applications
An FCSR automaton must fulfil some requirements:
Resistance to LFSRization (cryptanalysis of Hell and Johansson): avoid Galois and Fibonacci modes
Efficient hardware implementations: ring structure with fan-out and span less than or equal to 2
Efficient software implementations on dedicated structures: use of blocks of size 8 bits (or 16 bits...)
FCSR automaton for GLUON-64
[Figure: word ring FCSR with main register blocks m0 ... m17 and carry blocks c0, c2, c3, c5, c6, c8, c11, c12, c13, c14, c16, c17]
18 blocks of 8 bits
FCSR of 144 bits
+ 73 bits of carries
Characteristics of the automaton
Connection integer: q = −27013336179990468777742546164977981767038829
q is prime
Order of 2 mod q: 1 − q ⇒ m-sequences
Diameter (diffusion delay): 29
Number of cells of the main register: 144
Number of cells of the carry register: 73
Optimized for hardware and software implementations
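To make the carry mechanism and the 2-adic equivalence behind it concrete, here is an added example (not code from the GLUON paper): a toy Galois-mode FCSR whose output bits are checked against the 2-adic expansion of p/q, with p = m + 2c read off the start state. The connection integer q = −19, the tap pattern and the start state are constructed values, chosen so that 2 is a primitive root mod 19 and the output is an m-sequence of period |q| − 1; GLUON's real automaton is a word ring FCSR with the parameters above, not this Galois toy, and its linear filter is not reproduced.

```python
# Added example, not code from the GLUON paper: a small Galois-mode FCSR with
# carry cells, checked against the 2-adic expansion of p/q. q = -19 (d = 10,
# n = 4 cells) and the initial state are constructed toy values, not GLUON's.

def fcsr_clock(m, c, d, n):
    """One clock of a Galois FCSR; m, c = main/carry registers as ints, q = 1 - 2d."""
    a = m & 1                          # output bit m_0, fed back into every tap
    shifted = m >> 1                   # cell i receives m_{i+1}
    new_m, new_c = 0, 0
    for i in range(n):
        bit = (shifted >> i) & 1
        if (d >> i) & 1:               # tapped cell: full adder with carry cell c_i
            total = bit + ((c >> i) & 1) + a
            new_m |= (total & 1) << i  # sum bit goes to the main register
            new_c |= (total >> 1) << i # carry bit (majority) is kept for next clock
        else:
            new_m |= bit << i          # untapped cell: plain shift
    return new_m, new_c, a

def fcsr_stream(m, c, d, n, k):
    """First k output bits of the FCSR started from state (m, c)."""
    out = []
    for _ in range(k):
        m, c, a = fcsr_clock(m, c, d, n)
        out.append(a)
    return out

def two_adic_bits(p, q, k):
    """First k bits of the 2-adic expansion of p/q (q odd)."""
    out = []
    for _ in range(k):
        a = p & 1                      # q is odd, so (p/q) mod 2 == p mod 2
        out.append(a)
        p = (p - a * q) // 2           # exact division: p - a*q is even
    return out

def period(bits):
    """Smallest T with bits[i] == bits[i+T] over the whole window."""
    for t in range(1, len(bits) // 2 + 1):
        if all(bits[i] == bits[i + t] for i in range(len(bits) - t)):
            return t
    return None

Q, D, N = -19, 10, 4                   # q = 1 - 2d, taps (d bits) at cells 1 and 3
M0, C0 = 0b0110, 0b0010                # constructed start state; p = M0 + 2*C0 = 10

def check(k=60):
    """Galois FCSR output equals the 2-adic expansion of p/q, with p = m + 2c,
    and since 2 is a primitive root mod 19 the period is |q| - 1 = 18."""
    stream = fcsr_stream(M0, C0, D, N, k)
    return stream == two_adic_bits(M0 + 2 * C0, Q, k), period(stream)
```

The same invariant p(t+1) = (p(t) − a_t·q)/2 is what lets the designers reason about the real automaton's period and diffusion from q alone.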
Details of the f-function for GLUON-64
Input: 17 blocks S0, ..., S16 of 8 bits: 136 bits
Initialization: carry register: all-zero string; main register: Mi := Si for i = 0 to 16, M17 := (11111111)
State update: d + 4 = 33 iterations of the FCSR
Output: 17 iterations of the FCSR, extracting 8 bits at each iteration with a linear filter ⇒ 17 blocks of 8 bits
The sponge construction: one round of absorbing phase
[Figure: state s0 ... s17 (INPUT); the message block p(t) is XORed (⊕) into it; the state is loaded into the FCSR cells m0 ... m18 together with the constant 11...1, then 33 rounds of FCSR and 17 rounds of FCSR give the new state s0 ... s17 (OUTPUT)]
The sponge construction: one round of squeezing phase
[Figure: state s0 ... s17 (INPUT) loaded into the FCSR cells m0 ... m18 together with the constant 11...1, then 33 rounds of FCSR and 17 rounds of FCSR give the new state s0 ... s17 (OUTPUT) and the output block z(t)]
GLUON variants
Version     Security  Output size  r    c    FCSR size
GLUON-64    64        128          8    128  17×8
GLUON-80    80        160          16   160  12×16
GLUON-112   112       224          32   224  9×32
The underlying FCSRs are chosen to produce m-sequences and to have a sufficient number of carries
Security level
Collision attack and preimage attack: combinatorial explosion when trying to invert the f function ⇒ (second) preimage: 2^{3wr/2} > 2^{3n/2}, collision: 2^{3wr/4} > 2^{3n/2}
Cube attacks and cube testers [BM 05]: no particular structure for the ANF of an FCSR. Example: Galois FCSR of length 16 bits, after 7 clocks,
number of monomials of degree ≥ 10 = 125420
Linear and differential attacks
Linear attacks discarded by the design of word ring FCSRs; differential properties are largely spread by the sufficient number of clocks
Performances (1/2)
Hardware performances
Hash function   Security Pre.  Security Coll.  Block [bits]  Area [GE]  Lat. [cycles]  Thr. [kbps]
GLUON-64        128            64              8             2071       66             12.12
GLUON-80        160            80              16            2799.3     50             32
GLUON-112       224            112             32            4724       55             58.18
U-QUARK×8       128            64              8             2392       68             11.76
D-Quark×8       160            80              16            2819       88             18.18
S-Quark×16      224            112             32            4640       64             50.00
PHOTON-80       160            80              16            1168       132            12.15
Performances (2/2)
Software performances in cycles per byte
Hash function   Cycles/byte
GLUON-64        17319
U-QUARK         43373
GLUON-80        8523
D-QUARK         35103
PHOTON-80       1243
GLUON-112       1951
S-QUARK         25142
Conclusion
...New lightweight design
Based on a well-known primitive: word ring FCSR
Well-known properties
Flexible, depending on applications (hardware, software 8 bits...)
New lightweight design...
Please, try to attack!